@fourteensystems/shipguard 0.1.0

package/dist/rules/tenancy-scope-missing.js

@@ -0,0 +1,149 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import fg from "fast-glob";
+export const RULE_ID = "TENANCY-SCOPE-MISSING";
+/**
+ * Prisma methods that modify or read data and should be tenant-scoped.
+ */
+const PRISMA_SCOPED_METHODS = [
+    "findUnique", "findFirst", "findMany",
+    "update", "updateMany",
+    "delete", "deleteMany",
+    "upsert",
+];
+export function run(index, config) {
+    // Only run if the repo uses Prisma
+    if (!index.deps.hasPrisma)
+        return [];
+    // Only run if we can confirm the repo has tenant fields
+    const orgFields = config.hints.tenancy.orgFieldNames;
+    if (!repoHasTenancy(index.rootDir))
+        return [];
+    const findings = [];
+    const severity = config.rules[RULE_ID]?.severity ?? "critical";
+    // Check for Prisma middleware that enforces tenancy globally
+    if (hasPrismaMiddlewareScoping(index.rootDir, orgFields)) {
+        // If middleware handles it, skip — or add a low-confidence informational finding
+        return [];
+    }
+    // Scan all files in include paths for Prisma calls
+    const files = fg.globSync(config.include, {
+        cwd: index.rootDir,
+        ignore: ["**/node_modules/**", ...config.exclude],
+    });
+    for (const file of files) {
+        const src = readSource(index.rootDir, file);
+        if (!src)
+            continue;
+        const unscopedCalls = findUnscopedPrismaCalls(src, orgFields);
+        for (const call of unscopedCalls) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity,
+                confidence: call.confidence,
+                confidenceRationale: call.confidenceRationale,
+                message: `Prisma ${call.method}() call may lack tenant scoping`,
+                file,
+                line: call.line,
+                snippet: call.snippet,
+                evidence: call.evidence,
+                remediation: [
+                    `Add ${orgFields[0] ?? "orgId"} to the where clause`,
+                    "Use a tenant-aware repository helper or Prisma extension",
+                    "If tenancy is enforced via Prisma middleware or RLS, add a waiver",
+                ],
+                tags: ["tenancy", "prisma"],
+            });
+        }
+    }
+    return findings;
+}
+function findUnscopedPrismaCalls(src, orgFields) {
+    const results = [];
+    const lines = src.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const method of PRISMA_SCOPED_METHODS) {
+            const pattern = new RegExp(`\\.(${method})\\s*\\(`);
+            const match = pattern.exec(line);
+            if (!match)
+                continue;
+            // Look at surrounding context (current line + next 10 lines) for the where clause
+            const context = lines.slice(i, Math.min(i + 15, lines.length)).join("\n");
+            // Check if any org field appears in the where clause context
+            const hasOrgField = orgFields.some((field) => {
+                const fieldPattern = new RegExp(`\\b${field}\\b`);
+                return fieldPattern.test(context);
+            });
+            if (hasOrgField)
+                continue; // Scoped — skip
+            // Determine confidence
+            const evidence = [`prisma.*.${method}() without ${orgFields.join("/")} in where clause`];
+            let confidence;
+            let confidenceRationale;
+            if (method === "delete" || method === "deleteMany" || method === "update" || method === "updateMany") {
+                confidence = "high";
+                confidenceRationale = `High: ${method}() is a write operation without tenant scoping field in where clause`;
+                evidence.push("write operation without tenant scoping is high risk");
+            }
+            else {
+                confidence = "med";
+                confidenceRationale = `Medium: ${method}() is a read without tenant scoping (could be intentional for admin views)`;
+            }
+            const snippet = line.trim().slice(0, 120);
+            results.push({
+                method,
+                line: i + 1,
+                confidence,
+                confidenceRationale,
+                snippet,
+                evidence,
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Check if the Prisma schema or codebase has evidence of multi-tenancy.
+ */
+function repoHasTenancy(rootDir) {
+    // Check Prisma schema for tenant fields
+    const schemaFiles = fg.globSync("prisma/schema.prisma", { cwd: rootDir });
+    if (schemaFiles.length > 0) {
+        const schema = readSource(rootDir, schemaFiles[0]);
+        if (schema && /orgId|tenantId|workspaceId|organizationId/i.test(schema)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if Prisma middleware enforces tenancy globally.
+ */
+function hasPrismaMiddlewareScoping(rootDir, orgFields) {
+    // Look for Prisma middleware or extension files
+    const candidates = fg.globSync(["**/prisma/**/*.{ts,js}", "**/lib/prisma*.{ts,js}", "**/db*.{ts,js}"], { cwd: rootDir, ignore: ["**/node_modules/**"] });
+    for (const file of candidates) {
+        const src = readSource(rootDir, file);
+        if (!src)
+            continue;
+        // Look for $use() middleware or $extends() with query extensions
+        const hasMiddleware = /\$use\s*\(/.test(src) || /\$extends\s*\(/.test(src);
+        if (!hasMiddleware)
+            continue;
+        // Check if it references org fields
+        const hasOrgFieldRef = orgFields.some((f) => src.includes(f));
+        if (hasOrgFieldRef)
+            return true;
+    }
+    return false;
+}
+function readSource(rootDir, file) {
+    try {
+        return readFileSync(path.join(rootDir, file), "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=tenancy-scope-missing.js.map

package/dist/rules/tenancy-scope-missing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenancy-scope-missing.js","sourceRoot":"","sources":["../../src/rules/tenancy-scope-missing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAK3B,MAAM,CAAC,MAAM,OAAO,GAAG,uBAAuB,CAAC;AAE/C;;GAEG;AACH,MAAM,qBAAqB,GAAG;IAC5B,YAAY,EAAE,WAAW,EAAE,UAAU;IACrC,QAAQ,EAAE,YAAY;IACtB,QAAQ,EAAE,YAAY;IACtB,QAAQ;CACT,CAAC;AAEF,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,mCAAmC;IACnC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAErC,wDAAwD;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;IACrD,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,UAAU,CAAC;IAE/D,6DAA6D;IAC7D,IAAI,0BAA0B,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;QACzD,iFAAiF;QACjF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,mDAAmD;IACnD,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE;QACxC,GAAG,EAAE,KAAK,CAAC,OAAO;QAClB,MAAM,EAAE,CAAC,oBAAoB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC;KAClD,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,MAAM,aAAa,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC9D,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;gBAC7C,OAAO,EAAE,UAAU,IAAI,CAAC,MAAM,iCAAiC;gBAC/D,IAAI;gBACJ,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,WAAW,EAAE;oBACX,OAAO,SAAS,CAAC,CAAC,CAAC,IAAI,OAAO,sBAAsB;oBACpD,0DAA0D;oBAC1D,mEAAmE;iBACpE;gBACD,IAAI,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAWD,SAAS,uBAAuB,CAC9B,GAAW,EACX,SAAmB;IAEnB,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,KAAK,MAAM,MAAM,IAAI,qBAAqB,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,OAAO,MAAM,UAAU,CAAC,CAAC;YACpD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,kFAAkF;YAClF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE1E,6DAA6D;YAC7D,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3C,MAAM,YAAY,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;gBAClD,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YAEH,IAAI,WAAW;gBAAE,SAAS,CAAC,gBAAgB;YAE3C,uBAAuB;YACvB,MAAM,QAAQ,GAAa,CAAC,YAAY,MAAM,cAAc,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACnG,IAAI,UAAsB,CAAC;YAC3B,IAAI,mBAA2B,CAAC;YAEhC,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;gBACrG,UAAU,GAAG,MAAM,CAAC;gBACpB,mBAAmB,GAAG,SAAS,MAAM,sEAAsE,CAAC;gBAC5G,QAAQ,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,UAAU,GAAG,KAAK,CAAC;gBACnB,mBAAmB,GAAG,WAAW,MAAM,4EAA4E,CAAC;YACtH,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAE1C,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM;gBACN,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,UAAU;gBACV,mBAAmB;gBACnB,OAAO;gBACP,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAe;IACrC,wCAAwC;IACxC,MAAM,WAAW,GAAG,EAAE,CAAC,QAAQ,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAC1E,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,MAAM,IAAI,4CAA4C,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAe,EAAE,SAAmB;IACtE,gDAAgD;IAChD,MAAM,UAAU,GAAG,EAAE,CAAC,QAAQ,CAC5B,CAAC,wBAAwB,EAAE,wBAAwB,EAAE,gBAAgB,CAAC,EACtE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,oBAAoB,CAAC,EAAE,CACjD,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,iEAAiE;QACjE,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3E,IAAI,CAAC,aAAa;YAAE,SAAS;QAE7B,oCAAoC;QACpC,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9D,IAAI,cAAc;YAAE,OAAO,IAAI,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/util/paths.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Check if a file path matches any of the allowlist glob patterns.
+ * Used by rules to skip files/routes that the user has marked as exempt.
+ */
+export declare function isAllowlisted(filePath: string, allowlistPaths: string[]): boolean;
+//# sourceMappingURL=paths.d.ts.map

package/dist/util/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAGjF"}

package/dist/util/paths.js

@@ -0,0 +1,18 @@
+/**
+ * Check if a file path matches any of the allowlist glob patterns.
+ * Used by rules to skip files/routes that the user has marked as exempt.
+ */
+export function isAllowlisted(filePath, allowlistPaths) {
+    if (allowlistPaths.length === 0)
+        return false;
+    return allowlistPaths.some((pattern) => matchGlob(filePath, pattern));
+}
+function matchGlob(filePath, pattern) {
+    const regexStr = pattern
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+        .replace(/\*\*/g, "{{GLOBSTAR}}")
+        .replace(/\*/g, "[^/]*")
+        .replace(/\{\{GLOBSTAR\}\}/g, ".*");
+    return new RegExp(`^${regexStr}$`).test(filePath);
+}
+//# sourceMappingURL=paths.js.map

package/dist/util/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/util/paths.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB,EAAE,cAAwB;IACtE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,OAAe;IAClD,MAAM,QAAQ,GAAG,OAAO;SACrB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IACtC,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC"}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@fourteensystems/shipguard",
+  "version": "0.1.0",
+  "description": "CI guardrail that blocks unprotected mutation routes in Next.js SaaS",
+  "type": "module",
+  "bin": {
+    "shipguard": "./bin/shipguard.mjs"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "bin"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit"
+  },
+  "keywords": [
+    "nextjs",
+    "production-readiness",
+    "static-analysis",
+    "security",
+    "linter",
+    "ci"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Fourteen-Systems/shipguard.git",
+    "directory": "packages/shipguard"
+  },
+  "homepage": "https://github.com/Fourteen-Systems/shipguard",
+  "bugs": "https://github.com/Fourteen-Systems/shipguard/issues",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "commander": "^13.1.0",
+    "fast-glob": "^3.3.3",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  }
+}